And legal issues ;) If you're a total newbie, you can A) Search forums (and blogs) for tutorials on Web Application Security; B) Read The Web Application Hackers Handbook.

Both things are worth doing, even though I didn't read the second one, it certainly did look interesting ;) I think reading that book will probably be a shortcut to most, to get most of the basics and even some more advanced stuff.

When you're ready to dive into the more advanced stuff, with or without programming knowledge, you need to find some good resources for web app sec like ha.ckers.org, etc. ;) (Find them yourself, you should. If you're going to become a real hardcore web app hacker.)

And last but not least, learn how to spot coding errors in e.g. PHP scripts so you can find 0days yourself as well. Sometimes, it's boring to look through a billion lines of code, but then you can alternatively grab a copy of the web app, install it on your own server, test it for vulnerabilities ;) (With your own methods, NO automated scanners. In most popular web app's they wouldn't do any good except waste your time. This doesn't apply to addons for popular web apps, as the addons are often vulnerable.)

When I think of RE I think of compiled code. If you're trying to test a specific web application, it wont help. If you're trying to find 0 days in the web server that the web app is running on, you could RE the binaries of the webserver.

I want to read that book. Looks and sounds better than Hacking Exposed: Web Applications 3rd Edition (granted I've only thumbed the other one and going on what I've heard here). Not that I'm knocking HE:WA3E.

Anyway the new edition of The Web Application Hackers Handbook is due out in September. I'm waiting til then to order.

It's good to learn about, but don't start with this unless you want to go deep straight ahead. Reverse engineering PHP applications is not really necessary, but reverse engineering flash scripts may become useful in some cases, including java applications as well. (With PHP scripts you either have the source and search through it for errors, or you fuzz all possible user-input fields, or combine both!)

Cascading Style Sheets I presume you're referring to, and not XSS (Cross-Site Scripting). You won't use it that much, but for XSS it can prove very useful to know about. Sometimes, a CSS file may contain hidden directories as well and generally it is very easy to learn, as the CSS language is very easy.

JavaScript on the other hand, which is not the same as Java at all, may take some time to learn.

MaXe wrote:When you're ready to dive into the more advanced stuff, with or without programming knowledge, you need to find some good resources for web app sec like ha.ckers.org, etc. ;) (Find them yourself, you should. If you're going to become a real hardcore web app hacker.)